netsec-sig - Re: [Security-WG] [NTAC] Perverse Routing
Subject: Internet2 Network Security SIG
List archive
- From: Jeff Bartig <>
- To: David Farmer <>
- Cc: NTAC <>, "" <>, "" <>
- Subject: Re: [Security-WG] [NTAC] Perverse Routing
- Date: Mon, 30 Dec 2019 17:12:28 +0000
Dave, There are multiple issues happening here, as you've noted. First, there are routes being leaked from various networks/campuses that probably shouldn't be leaked. We talked about this type of issue on the last Routing Security Office Hours call we held. Networks need to use more than a simple prefix list in order to select their customer routes to advertise to peers and upstream providers. BGP community tags are a very useful tool to help solve this problem. If you have downstream BGP customers, then on ingress, these routes can be tagged with an informational BGP community that identifies that these routes were learned from a customer. When the routes are exported to a peer or upstream provider, then you can select the routes based on them having the customer BGP community tag. If you simply use a prefix list, then it opens up the possibility that you will eventually take a matching route learned from a peer or paid transit provider and advertise that route to peers and upstream providers. I'm guessing that is what happened in many of these cases. These types of problems can remain hidden, as long as you have your real customer routes with a higher local preference. The leaks only happen when the higher preference customer route is no longer in the network's routing table. This could be a temporary situation due to an outage or a permanent situation due to the downstream network no longer being a customer. In those situations, the best path could be via paid transit or other peering, rather than a direct customer neighbor. A simple prefix list used on upstream and peer neighbors will allow this route to leak. The second issue is that networks propagated these routes. While some of these routes were learned by Internet2 from peers, many came from Connectors/Participants. For every customer BGP neighbor, Internet2 does have a prefix list that only accepts prefixes that belong to the downstream participants. Internet2 also tags these routes with a customer BGP community tag. Internet2 does have a sanity AS path filter to drop routes with commercial transit ASNs in the path. Looking through the router configs, there are several of these ASN lists that are used depending upon the type of neighbor (customer or peer), v4 vs v6, and which Internet2 network (R&E or I2PX). Some of these lists are incomplete and way out of date. When they get updated, they should block most of what you've identified below. Many of the leaks you identified happened more than one AS hop away from Internet2. While Internet2 cleaning up its sanity AS path filtering will help, the networks between Internet2 and the leak should be implementing similar AS path filtering. If they are allowing these leaked routes to be advertised to Internet2, then they are possibly also advertising the leaked routes to other peers and upstream transit providers. Although Internet2's filtering is incomplete, it is still successfully blocking routes with many commercial ASNs in the path. This is probably hiding the scope of this issue at the regional network level. Had Internet2's AS path filters been up to date, this would completely hide visibility of this issue from an Internet2 perspective. The topic of reintroducing BGP routing tutorials has come up many times recently. I think the issues you've noticed are another indicator that there is a need for tutorials and better information for our community on BGP best practices. Jeff David Farmer wrote on 12/28/19 12:34 PM:
===============================================
David Farmer Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 =============================================== |
- [Security-WG] Perverse Routing, David Farmer, 12/28/2019
- Re: [Security-WG] [NTAC] Perverse Routing, Chris Robb, 12/28/2019
- Re: [Security-WG] [NTAC] Perverse Routing, David Farmer, 12/28/2019
- Re: [Security-WG] [NTAC] Perverse Routing, Jeff Bartig, 12/30/2019
- Re: [Security-WG] [NTAC] Perverse Routing, David Farmer, 12/30/2019
- Re: [Security-WG] [NTAC] Perverse Routing, Jeff Bartig, 12/30/2019
- Re: [Security-WG] [NTAC] Perverse Routing, David Farmer, 12/28/2019
- Re: [Security-WG] [NTAC] Perverse Routing, Bill Owens, 12/28/2019
- Re: [Security-WG] [NTAC] Perverse Routing, Michael H Lambert, 12/29/2019
- Re: [Security-WG] [NTAC] Perverse Routing, David Farmer, 12/29/2019
- Re: [Security-WG] [NTAC] Perverse Routing, Michael H Lambert, 12/29/2019
- Re: [Security-WG] Perverse Routing, David Farmer, 12/28/2019
- Re: [Security-WG] Perverse Routing, David Farmer, 12/29/2019
- Re: [Security-WG] [NTAC] Perverse Routing, Chris Robb, 12/28/2019
Archive powered by MHonArc 2.6.19.